Hell, It’s About Time – reddit now supports full-site HTTPS

It may have taken us 9 years, 2 months, and 16 days, but we did it. I’m happy to announce that we now support full-site HTTPS on reddit.com.

When using HTTPS on reddit, your connection will be fully encrypted. Anyone watching your connection (such as WiFi hotspot providers) will be unable to see the plain-text contents of what your browser is communicating with reddit. This helps ensure that your communications with reddit, including your authentication credentials and cookies, will not be viewable through the use of man-in-the-middle attacks.

HTTPS is being served via our new CDN, CloudFlare. The server’s preferred cipher suites make use of ECDHE, meaning that HTTPS connections to reddit will have Forward Secrecy for browsers which support those cipher suites.

You can adjust your account to connect to reddit exclusively through HTTPS using our new security tab in the preferences panel. This setting will cause reddit to send your browser an HSTS policy which will force it to interact with reddit only via HTTPS. It will also cause reddit to redirect any non-HTTPS requests containing your credentials to HTTPS. Please note that we cannot force API clients, such as mobile apps or bots, or certain older browsers, to respect this setting, and as such they may still connect to reddit through non-encrypted HTTP.